Privacy Risk Report

Tressler’s Privacy Practice Group brings you recent developments and insights on cyber liability, privacy and data storage.

On January 7, 2022, the Northern District issued an opinion regarding whether the claims contained in a lawsuit alleging the violation of the Illinois Biometric Information Privacy Act (“BIPA”), 40 ILCS 14/1 et seq., were covered under a Businessowners’ Liability Policy. An employee of the insured filed a class action complaint in Kankakee County, Illinois, against the insured for violating BIPA. The insured required its employees to use a biometric time clock system to record their time. This system required the insured’s employees to scan their fingerprints to clock in and clock out. This information was then disclosed to the
Continue Reading Northern District of Illinois Finds Employment-Related Practices Exclusion Applies to BIPA Suit

“Publication” has always been an important consideration under the Personal Injury prong of commercial general liability policies (“CGL”). Likewise, questions related to “publication” are growing in importance in litigation involving Illinois’ Biometric Information Privacy Act (“BIPA”). For example, Illinois courts have previously found that BIPA claims involving “publication” of biometric information to a third party may trigger coverage under the “personal injury” definition of CGL policies. And now, a recent Illinois Court of Appeals decision has found BIPA violations involving “publication” are subject to a one-year statute of limitations. This recent development may beg the question as to how multiple
Continue Reading Did An Illinois Court Intend To Limit Coverage For BIPA Claims Under CGL Policies To One Year?

In a decision last week entitled Landry’s, Inc. v. The Ins. Co. Of The State Of Pennsylvania, No. 19-20430, 2021 WL 3075937 (5th Circ., July 21, 2021), the Fifth Circuit Court of Appeals found coverage under a CGL Policy for a traditional data breach. More particularly, the Fifth Circuit held the insurer has a duty to defend Landry’s in the litigation that resulted from a breach incident involving credit card information. This case marks a departure from the general premise that there is no coverage to be found under CGL policies for liability resulting from “classic” data breach incidents.
Continue Reading Fifth Circuit Rejects Insurance Carrier’s Arguments As “Salami-Slicing Distinctions” In Finding Coverage For Breach Of Contract Claims Related To Data Breach

On May 20, 2021, the Illinois Supreme Court delivered its opinion in W. Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978[1] regarding whether the claims contained in a lawsuit alleging the violation of the Biometric Information Privacy Act (“BIPA”) were covered under a business owners’ liability policy.
In the underlying lawsuit, Klaudia Sekura (“Sekura”)[2] filed a class-action suit against Krishna Schaumburg Tan, Inc. (“Krishna”), a tanning salon and franchisee of L.A. Tan for violating BIPA by requiring its customers, including Sekura, to scan their fingerprints without first getting their signed, written release to allow
Continue Reading Illinois Supreme Court Finds “Publication” In Some BIPA Claims

The Indiana Supreme Court became one of the first state high courts to weigh in and issue a decision on whether crime insurance provides coverage for ransomware attacks. The trial court’s ruling in favor of Continental Western Insurance Co.’s motion for summary judgment upheld the denial of G&G Oil Co.’s bid for coverage. The Supreme Court remanded the case because further fact-finding was necessary to uncover the “fraudulent” nature of the hacker’s actions. It was important to determine how the hacking was conducted. Therefore, until this information is uncovered, neither party was entitled to summary judgment.
The case arose out
Continue Reading Hack Attack: Indiana Supreme Court Examines Ransomware Coverage 

There is no question that the Illinois Biometric Information Protection Act of 2008 (“BIPA”) has given rise to a number of unique questions under both privacy law and insurance law. First, many data collectors caught in the crosshairs of BIPA are surprised to learn this law has been in effect since 2008. Further, a substantial amount of the technology that now creates BIPA issues was not invented or, at least, was not publicly available in 2008. It is unclear if the Illinois legislature envisioned the significant class-action litigation that has sprouted from alleged BIPA violations. Further, BIPA has brought even
Continue Reading The Illinois Legislature and the Illinois Supreme Court Take Steps to Bring Balance to BIPA

While this year has been an unpredictable year for all data collectors, it has been especially harsh for public and private schools. In addition to various obligations on all data collectors, schools hold sensitive information belonging to children that require more obligations.  Schools must balance these obligations as they lead their students and employees through online learning during 2020. That is, to continue teaching children, most schools have had no choice but to rely on third-party applications that require entrusting this sensitive data to outside vendors. Further, many schools are facing new state laws requiring schools more steps be taken to protect
Continue Reading Hackers See Opportunity In Attacking Schools As They Teach Through A Pandemic

While data collectors had no time to prepare for employees to start working from home in early 2020, there is time to prepare for the shift back to the office.
Without a doubt, many data collectors are struggling with the cybersecurity risks created by employees shifting from the office to their homes in 2020. Interestingly, despite having no time to prepare for the shift home in early 2020, we have not heard much news about breaches or other incidents.  Nevertheless, data collectors can be certain that cybersecurity issues created by employees using sensitive data while working remotely are out there. These
Continue Reading We Are Just Beginning To Understand The Privacy Threats Created By Working From Home

On September 18, 2020, the Illinois Court of Appeals, First District, took another shot at reconciling some of the inconsistencies in the application of Illinois’ Biometric Information Privacy Act (“BIPA”) (740 ILCS 14/1 et seq. (West 2018)) to the workplace. The interlocutory appeal in McDonald v. Symphony Bronzeville Park LLC, 2020 IL App (1st) 192398 (Sept.18, 2020), put a single issue before the First District: “Do[] the exclusivity provisions of the Workers’ Compensation Act bar a claim for statutory damages under [BIPA] where an employer is alleged to have violated an employee’s statutory privacy rights under [BIPA]?”  However, the First
Continue Reading Missed Opportunity? Illinois Court Issues Limited Finding That Workers’ Compensation Act Does Not Preempt Claims For Statutory Damages Under BIPA But Does Not Address How Actual Damages Should Be Addressed Under BIPA

It is difficult to believe the Illinois Biometric Information Protection Act, 740 ILCS 14, (“BIPA”) has been in effect for more than 10 years since October 3, 2008. Many data collectors are surprised BIPA has been in effect for all these years. Issues related to biometric data have only recently grown into a major concern as the equipment that collects biometric data has evolved to the point that it can be found in a number of Illinois workplaces and businesses. To this point, the central issue in most of the BIPA cases involved allegations that data collectors collected and stored
Continue Reading New Lawsuit Alleges BIPA Violations Result From Macy’s Reliance On Clearview AI To Scrape Information

Data collectors constantly struggle to balance the need for honest self-critiques of their data protection safeguards with the desire to not generate information that may be used in litigation. Indeed, it is encouraging to see a number of data collectors hiring third-party experts to look at safety measures and issue reports on their findings before there is an incident. Of course, these reports are only useful if they include an honest assessment of a data collector’s incident response preparation, digital forensics and incident remediation.  Understandably, there is trepidation that the findings in the reports may be used to establish liability
Continue Reading Courts Continue To Find Third-Party Reports Generated Before And After Privacy Incidents Are Not Protected From Discovery   

The latest decision related to Illinois’ Biometric Information Protection Act (“BIPA”) was issued by the Illinois Court of Appeals on June 16, 2020, in a matter entitled Cothron v. White Castle System, Inc, 2020 WL 3250706 (June 16, 2020). Latrina Cothron (“Cothron”) began working at White Castle in 2004 and was still a manager at the time she filed suit. As a side note, the Cothron matter differs from many BIPA suits to the extent the plaintiff remains an employee before and after filing suit. Many BIPA cases involve claims by former employees that were terminated prior to bringing suit.
Continue Reading White Castle’s Motion To Dismiss Denied In BIPA Litigation

Over the last few months, cyber security issues may have taken a backseat to health and economic issues. Thankfully, there has not been a major cyber incident during the coronavirus pandemic. To pick up where we were before the pandemic, we were closely analyzing the number of court decisions where it was found that a litigant could not establish standing to bring a lawsuit for a data breach. However, it is only a matter of time until we are again analyzing privacy cases. The recent decision in Jantzer v. Elizabethtown Community Hosp., 2020 WL 2404764 (N.D. New York May 12, 2020), provides the perfect opportunity
Continue Reading New Decision Provides Reminder Of Privacy Law Before The Pandemic

On May 5, 2020, the United States Court of Appeals for the Seventh Circuit issued a decision that will have an immediate impact on litigation concerning Illinois’ Biometric Information Protection Act (“BIPA”). The decision in Bryant v. Compass Group USA, Inc., 2020 WL 2121463 (7th Cir. 2020), puts to rest the question of whether a litigant can establish Article III standing in a federal court for BIPA claims.

Prior to the Bryant decision, a number of federal district courts found BIPA plaintiffs did not have standing to bring an action in federal court because they could not allege an “imminent,
Continue Reading Seventh Circuit Court Of Appeals Reopens Doors To Federal Courts For BIPA Plaintiffs

Illinois schools must comply with the Student Online Personal Protection Act by July 1, 2021. While many schools may not have been aware of this deadline or have been pushing compliance down the road, the coronavirus pandemic has put SOPPA compliance in a new light. Illinois schools are quickly realizing that their contractual relationships with educational technology companies and the use of student data are issues that must be addressed immediately. Therefore, this coming summer provides schools a unique opportunity to both get in compliance with SOPPA early and prepare for an uncertain fall semester.

  • The Second Half Of

Continue Reading This Summer Provides A Unique Opportunity For Student Data Privacy

One bright spot in recent events has been to see our kids stay focused as students and to see teachers continue their great work while bunkered down from their homes. Nevertheless, it may be worthwhile to pause to think about the technology that makes this all possible. One lawsuit recently filed in California sheds light on the privacy issues created when students, schools and teachers become increasingly reliant on “e-learning” and the technology that supports it.
On April 2, 2020, a class-action lawsuit was filed in the District Court for the Northern District of California entitled H.K. and J.C., through
Continue Reading The ABC’s Of Privacy Law: New Lawsuit Provides Glimpse Of Privacy Issues For “E-Learning” In Schools Under COPPA, BIPA And SOPPA